Analysis
max time kernel: 144s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05/04/2024, 01:29
Static task: static1
Behavioral task: behavioral1
  Sample: 3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe
  Resource: win10v2004-20240226-en
Behavioral task: behavioral3
  Sample: Borteskamoteringers/Fridtjof.ps1
  Resource: win7-20240221-en
Behavioral task: behavioral4
  Sample: Borteskamoteringers/Fridtjof.ps1
  Resource: win10v2004-20240226-en
General
Target: 3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe
Size: 652KB
MD5: 7971d20d1b569b51e56f37fc734a1c81
SHA1: 3c1a1fa66cd9890c8e0021853d39ab7b3aefc5c7
SHA256: 3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b
SHA512: 6efbec26eebfcaeed965a46ab22f4870fc6fa93d09818c7cf03782f34c8a768b4defa5b9b1f347ef41798df82c725a3f5a402793d977e6d791fe5b857d36c6a4
SSDEEP: 12288:nXRAvufNFTr7L/R90rJ2RPBY+K9Yc65vpNpqwDwmuu6TNxFu+i:nXRyUNJr7L30N2RJXKz65vprPqu6hxF+
Malware Config
Extracted family: agenttesla
Protocol: smtp
Host: cp8nl.hyperhost.ua
Port: 587
Username: [email protected]
Password: 7213575aceACE@#$
Email To: [email protected]
Signatures
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET; the configuration extracted above shows this build exfiltrating over SMTP.
Guloader, Cloudeye
GuLoader (also tracked as CloudEye) is a shellcode-based downloader first seen in 2020. It typically fetches its encrypted payload from legitimate cloud storage, which matches the drive.google.com contacts listed below.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 3: drive.google.com
  flow 4: drive.google.com
Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\skillfully.ins (process: 3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe)
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  PID 2400 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 3008 powershell.exe
  PID 2400 wab.exe
Suspicious use of SetThreadContext (1 IoC)
  PID 3008 (powershell.exe) set thread context of PID 2400 (wab.exe); procid_target 32
Drops file in Program Files directory (1 IoC)
  File created: C:\Program Files (x86)\Common Files\ukases.lnk (process: 3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe)
Drops file in Windows directory (1 IoC)
  File created: C:\Windows\resources\tuskish\smilehuller.lnk (process: 3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 3008 powershell.exe (8 occurrences)
  PID 2400 wab.exe (2 occurrences)
Suspicious behavior: MapViewOfSection (1 IoC)
  PID 3008 powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 3008 powershell.exe
  Token: SeDebugPrivilege, PID 2400 wab.exe
Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2132 (3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe) wrote to memory of PID 3008 (powershell.exe), procid_target 28: 4 occurrences
  PID 3008 (powershell.exe) wrote to memory of PID 2616 (cmd.exe), procid_target 30: 4 occurrences
  PID 3008 (powershell.exe) wrote to memory of PID 2400 (wab.exe), procid_target 32: 6 occurrences
Processes
C:\Users\Admin\AppData\Local\Temp\3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe (PID 2132)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe"
  Drops file in System32 directory
  Drops file in Program Files directory
  Drops file in Windows directory
  Suspicious use of WriteProcessMemory
  +- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3008)
     Command line: "powershell.exe" -windowstyle hidden "$Begavede=Get-Content 'C:\Users\Admin\AppData\Local\Ubarberet\Borteskamoteringers\Fridtjof.Bea';$Alpelandet=$Begavede.SubString(59880,3);.$Alpelandet($Begavede)"
     Suspicious use of NtSetInformationThreadHideFromDebugger
     Suspicious use of SetThreadContext
     Suspicious behavior: EnumeratesProcesses
     Suspicious behavior: MapViewOfSection
     Suspicious use of AdjustPrivilegeToken
     Suspicious use of WriteProcessMemory
     +- C:\Windows\SysWOW64\cmd.exe (PID 2616)
        Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
     +- C:\Program Files (x86)\windows mail\wab.exe (PID 2400)
        Command line: "C:\Program Files (x86)\windows mail\wab.exe"
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
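The chain above is detectable on its structure alone, independent of the per-build Nordic-looking variable and file names: a dropper spawns a hidden powershell.exe that reads a non-script file with Get-Content, carves a 3-character token out of it with SubString(59880,3) and dot-invokes that token with the whole file content as its argument; powershell.exe then spawns wab.exe, writes its memory and rewrites its thread context, which is the hollowing sequence recorded under SetThreadContext and WriteProcessMemory. The following Python block is an added example written for this page, not code from the sandbox, from the malware or from any detection product. It runs both checks over constructed Sysmon-style process events modelled on this report; the event schema, the event type names and the dropper's parent PID 1000 are assumptions of the example. It does not try to recover the 3-character token, which the report does not show.

```python
import re

# Constructed Sysmon-style events modelled on the process tree in this report (not real telemetry).
# The schema (event types, field names, the dropper's parent PID 1000) is an assumption of this example.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe"
EVENTS = [
    {"type": "process_create", "pid": 2132, "ppid": 1000, "image": DROPPER,
     "cmdline": '"' + DROPPER + '"'},
    {"type": "process_create", "pid": 3008, "ppid": 2132,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''"powershell.exe" -windowstyle hidden "$Begavede=Get-Content 'C:\Users\Admin\AppData\Local\Ubarberet\Borteskamoteringers\Fridtjof.Bea';$Alpelandet=$Begavede.SubString(59880,3);.$Alpelandet($Begavede)"'''},
    {"type": "process_create", "pid": 2616, "ppid": 3008,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"'},
    {"type": "process_create", "pid": 2400, "ppid": 3008,
     "image": r"C:\Program Files (x86)\windows mail\wab.exe",
     "cmdline": r'"C:\Program Files (x86)\windows mail\wab.exe"'},
    {"type": "write_process_memory", "pid": 3008, "target_pid": 2400},
    {"type": "set_thread_context", "pid": 3008, "target_pid": 2400},
]

# The PowerShell stage: Get-Content on some file, SubString(offset, len) to carve a short token out
# of it, and ".$var(...)" to dot-invoke that token as a command with the whole file content as argument.
_GET_CONTENT = re.compile(r"Get-Content\s+'([^']+)'", re.IGNORECASE)
_SUBSTRING = re.compile(r"\.SubString\((\d+)\s*,\s*(\d+)\)", re.IGNORECASE)
_DOT_INVOKE = re.compile(r"\.\$[A-Za-z_]\w*\s*\(")
_SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}


def find_content_invoke_loader(cmdline):
    """Return the loader's parameters if cmdline matches Get-Content / SubString / dot-invoke, else None."""
    path, sub = _GET_CONTENT.search(cmdline), _SUBSTRING.search(cmdline)
    if not (path and sub and _DOT_INVOKE.search(cmdline)):
        return None
    return {"script_path": path.group(1), "offset": int(sub.group(1)), "length": int(sub.group(2)),
            "hidden_window": "-windowstyle hidden" in cmdline.lower()}


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def find_thread_context_hijacks(events):
    """Pair each SetThreadContext event with the target's creation record.

    A parent that spawns a child, writes the child's memory and then rewrites the child's
    thread context is the hollowing sequence in this report (powershell.exe -> wab.exe)."""
    created = {e["pid"]: e for e in events if e["type"] == "process_create"}
    hits = []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        child = created.get(e["target_pid"])
        if child is None or child["ppid"] != e["pid"]:
            continue  # not a parent rewriting its own child's context
        wrote = any(w["type"] == "write_process_memory" and w["pid"] == e["pid"]
                    and w["target_pid"] == e["target_pid"] for w in events)
        hits.append({"parent_pid": e["pid"], "target_pid": e["target_pid"],
                     "target_image": child["image"], "memory_written": wrote})
    return hits


def detect(events):
    """Run both checks and return a list of alert dicts (empty when nothing matches)."""
    alerts = []
    for e in events:
        if e["type"] == "process_create" and _basename(e["image"]) in _SCRIPT_HOSTS:
            loader = find_content_invoke_loader(e["cmdline"])
            if loader:
                alerts.append({"rule": "powershell_content_invoke_loader", "pid": e["pid"], **loader})
    for hit in find_thread_context_hijacks(events):
        alerts.append({"rule": "thread_context_hijack_of_child", **hit})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The loader check keys on the shape of the command line (a content read, a fixed-offset carve, dot-invocation of a variable) rather than on the variable names, which this loader family regenerates per build. The hijack check requires the SetThreadContext caller to be the target's parent, so a debugger attaching to an unrelated process is not flagged; loosen that condition if your telemetry also records cross-process thread manipulation by non-parents.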
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 58KB
  MD5: b747bba9cd5ec658f83a8f004b9ddc9b
  SHA1: eb25e589a4de7af6afd91ccaf9c12f30aaf3c67a
  SHA256: 4fc178d7b0c912917422d5259e796c28f38a765bc3f56fa14df7480b49a0f2f2
  SHA512: 7e115a0e8cc9b16cd7eeafc6aa6635815763384ab543bb92308c197af849a49e9109f775652151617dc094862313109830091f5d203f582a887595b81b875d9e
File 2
  Filesize: 350KB
  MD5: 5a078e54f0d5d5d90111e92881a45f0b
  SHA1: 96c2419b4e1f9609e11bab95c051780d5a812a3d
  SHA256: cec934596d590684641da052fa5d39b119c7b668c28925e196213d4258ac75b0
  SHA512: d6b893adddd088f8c03389a31d10c6b87c0f67f1620739c02821e2f51d4b785abb512fc1e550ba08b653569069d37e62c1f8a54a55845d2b346f9eebb061f569